How to Identify Entitlements Not Assigned via Roles in SailPoint ISC

Hello,

In SailPoint ISC, entitlements can be assigned either:

  • Automatically, through role-based assignments, or

  • Manually (e.g. via access requests).

I would like to identify:

  • Users who have entitlements not assigned through roles, and

  • The specific entitlements they hold.

If possible, I also want to limit the scope to a specific source.

Is there a recommended way in ISC (e.g., Search, Reports, or APIs) to achieve this?

Thank you.

From the API you can check the flag standalone:true if it is not assigned via a role.


Interesting. @amankumargupta What endpoint are you calling for that?

Hi @sxxnex,
In SailPoint IIQ you can find this via detected roles, but in ISC there is no filter that clearly separates entitlements assigned via roles from those assigned directly. You can, however, achieve this using the API or Search.
One approach is to use the Entitlements API / Accounts API and check the assignment type.
If an entitlement/role is assigned through an access request, it will link as a role membership.
If it is directly assigned from the backend or target system, it will appear as standalone.
Check this via the API as follows:
standalone=true means directly assigned from the backend
standalone=false means assigned via an access request

Have you tried using grantedBy/assignmentType in the filter and checking? This should work.

Hit the search API with the body below:

{
  "indices": [
    "identities"
  ],
  "query": {
    "query": "*",
    "innerHit": {
      "type": "access",
      "query": "standalone:true AND type:ENTITLEMENT AND source.name:\"Active Directory\""
    }
  },
  "includeNested": true,
  "queryResultFilter": {
    "includes": [
      "name",
      "displayName",
      "access.name",
      "access.source.name"
    ]
  }
}
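An added example (not from the thread and not SailPoint's own code) that builds the search body above for any source name, escaping quotes so the name cannot break out of the query term, and groups the returned standalone entitlements by identity. The v3 /search endpoint path is the documented one; the response shape (identity documents whose access array holds only the innerHit matches), the tenant placeholder and the helper names are assumptions.

```python
import json
import urllib.request

SEARCH_URL = "https://{tenant}.api.identitynow.com/v3/search"  # tenant is a placeholder

def build_search_body(source_name: str) -> dict:
    """Search body from the thread, scoped to one source. Backslashes and double
    quotes in the name are escaped so it cannot break out of the quoted term."""
    safe = source_name.replace("\\", "\\\\").replace('"', '\\"')
    return {
        "indices": ["identities"],
        "query": {
            "query": "*",
            "innerHit": {
                "type": "access",
                "query": f'standalone:true AND type:ENTITLEMENT AND source.name:"{safe}"',
            },
        },
        "includeNested": True,
        "queryResultFilter": {
            "includes": ["name", "displayName", "access.name", "access.source.name"]
        },
    }

def standalone_entitlements(results: list, source_name: str) -> dict:
    """Map identity name -> sorted entitlement names. Assumes each result is an
    identity document whose 'access' array holds only the innerHit matches."""
    summary = {}
    for identity in results:
        names = sorted(a["name"] for a in identity.get("access", [])
                       if a.get("source", {}).get("name", source_name) == source_name)
        if names:
            summary[identity["name"]] = names
    return summary

def fetch_page(tenant: str, token: str, source_name: str, limit=250, offset=0) -> list:
    """POST one page; step offset by limit until a page shorter than limit returns."""
    url = f"{SEARCH_URL.format(tenant=tenant)}?limit={limit}&offset={offset}"
    req = urllib.request.Request(url, data=json.dumps(build_search_body(source_name)).encode(),
        method="POST", headers={"Authorization": f"Bearer {token}",
                                "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample response (not real tenant data) in the assumed identity-document shape.
SAMPLE_RESULTS = [{"name": "jdoe", "displayName": "Jane Doe", "access": [
    {"name": "Domain Admins", "source": {"name": "Active Directory"}},
    {"name": "Backup Operators", "source": {"name": "Active Directory"}}]},
    {"name": "asmith", "displayName": "Al Smith", "access": []}]
```

Identities whose filtered access array is empty are dropped from the summary, so the result lists only users that actually hold non-role entitlements on that source.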

@rahulb635 Brilliant. That works perfectly, thanks.
